Summary: Kaspersky Labs has uncovered sophisticated techniques used by the ToddyCat group to disguise their malicious activities by embedding them within legitimate security software. A newly identified tool, TCESB, uses DLL proxying to execute payloads while avoiding detection by legitimate applications. The ToddyCat group exploited a vulnerability in ESET’s Command line scanner to introduce this stealthy tool into the affected systems.
Affected: ESET Command line scanner (ecls.exe), Windows operating systems
Key points:
- TCESB identified as “Trojan.Win64.ToddyCat.a” and “Trojan.Win64.ToddyCat.b”.
- Employs DLL proxying to execute malicious code while mimicking legitimate software activity.
- Exploits vulnerability CVE-2024-11859 in ESET’s Command line scanner to load its malicious DLL.
- Utilizes techniques like Bring Your Own Vulnerable Driver (BYOVD) and modifies kernel structures.
- Kaspersky recommends monitoring for known vulnerable drivers and checking digital signatures of loaded libraries.
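The two checks recommended above can be scripted on a Windows host. The PowerShell below is an added example, not code from the Kaspersky report or from ESET. It assumes an elevated session (module lists of other users' processes and driver file hashes need it), and the vulnerable-driver hash list is a placeholder the analyst fills in from their own blocklist. The first function goes a step beyond the bullet: besides flagging modules with an invalid or missing Authenticode signature, it flags a DLL that sits in the same directory as the host executable but carries a different signer, which is the shape a sideloaded or proxy DLL takes next to a legitimately signed binary such as ecls.exe.

```powershell
# Added example (not part of the original summary). Run as Administrator.
# Assumptions: Get-AuthenticodeSignature covers catalog-signed OS files
# (Windows 10+); $KnownBadSha256 is supplied by the analyst.

function Get-UnsignedOrMismatchedModules {
    param([string[]]$ProcessName = @('*'))

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        $exePath = $proc.Path
        if (-not $exePath) { continue }        # protected/system process: no access
        $exeSig  = Get-AuthenticodeSignature -FilePath $exePath
        $exeSubj = $exeSig.SignerCertificate.Subject

        try { $modules = $proc.Modules } catch { continue }
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path -or $path -eq $exePath) { continue }
            $sig        = Get-AuthenticodeSignature -FilePath $path
            $sideBySide = (Split-Path $path -Parent) -eq (Split-Path $exePath -Parent)
            $reason     = $null

            if ($sig.Status -ne 'Valid') {
                $reason = "signature status $($sig.Status)"
            } elseif ($sideBySide -and $sig.SignerCertificate.Subject -ne $exeSubj) {
                # A DLL beside the executable but signed by someone else is the
                # classic sideload/proxy-DLL layout; worth a look even if signed.
                $reason = 'signer differs from host executable'
            }

            if ($reason) {
                [pscustomobject]@{
                    Process = $proc.ProcessName
                    Pid     = $proc.Id
                    Module  = $path
                    Signer  = $sig.SignerCertificate.Subject
                    Reason  = $reason
                }
            }
        }
    }
}

function Get-KnownVulnerableDrivers {
    param([string[]]$KnownBadSha256 = @())

    $bad = $KnownBadSha256 | ForEach-Object { $_.ToLowerInvariant() }

    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $p = $drv.PathName
        if (-not $p) { continue }
        # Normalise the \SystemRoot\... and \??\ prefixes used in the driver table
        $p = $p -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
        if (-not (Test-Path -LiteralPath $p)) { continue }

        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $p).Hash.ToLowerInvariant()
        $sig  = Get-AuthenticodeSignature -FilePath $p
        $known = $bad -contains $hash

        # Report drivers on the blocklist (BYOVD candidates) and unsigned drivers
        if ($known -or $sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Driver          = $drv.Name
                State           = $drv.State
                Path            = $p
                Sha256          = $hash
                SigStatus       = $sig.Status
                KnownVulnerable = $known
            }
        }
    }
}

# Usage: audit the ESET command line scanner named in the summary, then all
# processes, then drivers. The hash below is a placeholder, not a real IoC.
Get-UnsignedOrMismatchedModules -ProcessName 'ecls' | Format-Table -AutoSize
Get-UnsignedOrMismatchedModules | Format-Table -AutoSize
Get-KnownVulnerableDrivers -KnownBadSha256 @('PLACEHOLDER-SHA256-FROM-YOUR-BLOCKLIST') |
    Format-Table -AutoSize
```

Signed-but-mismatched findings are not proof of compromise (some vendors ship third-party components beside their binaries), so treat that column as a triage queue rather than an alert. A driver that is on the blocklist but in State "Stopped" still deserves removal, since BYOVD tooling loads the driver on demand.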